
Merge "rpm-distro: ensure we selinux relabel underlying directories"

tags/2.27.0
Zuul 1 місяць тому
джерело
коміт
f4698b5864

+ 32
- 3
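--- a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
@@ -70,9 +70,38 @@ for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
             echo "*** SELinux enabled and kauditd not found, suggesting auditing support is disabled in the host kernel. setfiles will fail without this, please enable and rebuild"
             exit 1
         fi
-        sudo ${_runcon} chroot ${TARGET_ROOT} \
-            /usr/sbin/setfiles -F ${_dash_m} \
-            /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+
+        if [[ ${MOUNTPOINT} == "/" ]]; then
+            # If you don't label /dev, /proc and /sys (the actual,
+            # on-disk directory in the image) correctly, it will have
+            # bad effects when things like systemd try to do things
+            # like make network or process namespaces.  This generally
+            # leads to obscure and hard-to-debug failures; [1] has
+            # plenty of examples.
+            #
+            # But right now, /{dev,proc,sys} are mounted!  With the
+            # extant block-device code, we do not have a point to
+            # break in when these are unmounted, but before we've
+            # unmounted everything.  So we do a hack; for the root
+            # directory, we bind mount the target so we see the
+            # underlying directories, and then run setfiles on that.
+            #
+            # XXX: we might be able to uncondtionally do this for all
+            #      mountpoints?  leaving well enough alone for now...
+            #
+            # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1663040
+            TMP_BIND_MOUNT=$(mktemp -d)
+            sudo mount --bind ${TARGET_ROOT} ${TMP_BIND_MOUNT}
+            sudo ${_runcon} chroot ${TMP_BIND_MOUNT} \
+                /usr/sbin/setfiles -F ${_dash_m} \
+                /etc/selinux/targeted/contexts/files/file_contexts /
+            sudo umount ${TMP_BIND_MOUNT}
+            sudo rmdir ${TMP_BIND_MOUNT}
+        else
+            sudo ${_runcon} chroot ${TARGET_ROOT} \
+                /usr/sbin/setfiles -F ${_dash_m} \
+                /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+        fi
     fi
 done
 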
